People should have rights over their data; firms mere custodians, says Trai

Terming the existing data protection framework as inadequate, the Telecom Regulatory Authority of India (Trai) in a set of recommendations to DoT said that companies should not use meta-data to identify users and should disclose any data breaches.

In significant recommendations concerning privacy, Trai said today firms collecting user data don't have a right over it and emphasised that consumers' consent should be mandatory and they should also be given the 'Right to be Forgotten'.

Terming the existing data protection framework as inadequate, the Telecom Regulatory Authority of India (Trai) in a set of recommendations to DoT said that companies should not use meta-data to identify users and should disclose any data breaches.

Stating that each user owns his/her personal data and information submitted to any entity, it said entities controlling and processing user data are "mere custodians" and all of them should be brought under a data protection framework.

The government, it said, must notify policy framework to regulate devices, operating systems, browsers and applications.

Batting for telecom consumers, Trai said in its recommendation to the Department of Telecom that users be granted the right to choice, consent and to be forgotten to safeguard privacy.

It has suggested that all entities in the digital ecosystem be brought under a data protection framework to guard against the misuse of personal data of telecom consumers.

The recommendations assume significance as issues around data protection have come into the spotlight, and privacy concerns have amplified in the wake of the recent Facebook data leak fiasco.

Recommending a series of measures on "privacy, security and ownership of data in telecom sector", Trai held that consumers are owners of their data and that entities controlling, processing their information are "mere custodians and do not have primary rights over this data".

"The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers," it added.

This is first time 'Right to be Forgotten' has been given weightage by an Indian authority. It empowers users to delete past data that he may feel is unimportant or detrimental to his present position. Past data could be in terms of photographs, call records, video clippings and so on which could potentially harm the reputation of the consumer.

However, the regulator has added a rider that the right to data portability and right to be forgotten are restricted rights, and the same should be subject to applicable laws in this regard.

It has suggested that till a general data protection law is notified by the government, the existing rules applicable to telecom operators for protection of users' privacy be made applicable to all the entities in the digital ecosystem.

"For this purpose, the government should notify the policy framework for regulation of devices, operating systems, browsers and applications," Trai has recommended.

It said that in order to ensure sufficient choices to the users of digital services, detailing in the consent mechanism be built-in by service providers.

Trai has suggested that all entities in the digital ecosystem, including telecom operators should transparently disclose the information about the privacy breaches on their websites along with the action taken for mitigation, and preventing such breaches in future.

Trai had floated its discussion paper on the data privacy and security for telecom sector last year and had followed it up with an open house discussion in February this year.

When contacted, Trai Chairman R S Sharma told PTI that the regulator will also share its recommendations as inputs with the Justice B N Srikrishna Committee, which is working on a detailed data protection framework for the country.

Trai, in its 77-page recommendations, said, "The government should put in place a mechanism for redressal of telecommunication consumers' grievances relating to data ownership, protection, and privacy".

It has also favoured that entities getting control of data in any form should not be allowed to use "pre-ticked" boxes to gain users' consent.

When contacted, telecom industry body COAI Director General Rajan S Mathews said that one of the positive take aways from the recommendations is that Trai has talked about data privacy in the context of devices, operating systems, browsers and applications.

"We agree on the issue of making data privacy matters everyone concern including devices because data flows across the entire ecosystem," he said.